Custom Permission and SecurityManager .IsGranted

After reading Eugene Bobukh's blog entry about creating custom
non-CAS permissions, I developed a few custom permissions to
satisfy the needs of an application I'm currently working on.

For reference, the blog entry I'm referring to can be found
here:

http://blogs.msdn.com/eugene_bobukh/.../10/87645.aspx

Everything Eugene talked about works fine, but one thing that
doesn't seem to work is using custom permissions with the
SecurityManager .IsGranted method. When
SecurityManager .IsGranted is called, IPermission.IsS ubsetOf gets
called as well, but the IPermission target parameter is always
null. I verified that this happens with Euguene's sample code
as well.

For example:

WorkingTimePerm ission p = new WorkingTimePerm ission();

if (SecurityManage r.IsGranted(p))
{
// Enable application UI tabs which should be available
only during
working hours.
}

When stepping through the code, SecurityManager .IsGranted does
some processing and then WorkingTimePerm ission.IsSubset Of gets
called, but with a null IPermission target parameter.

Can anyone shed some light on why this may be happening?

"=?Utf-8?B?SmFzb24=?=" <Ja***@discussi ons.microsoft.c om> wrote in
news:8F******** *************** ***********@mic rosoft.com:

After reading Eugene Bobukh's blog entry about creating custom
non-CAS permissions, I developed a few custom permissions to
satisfy the needs of an application I'm currently working on.

For reference, the blog entry I'm referring to can be found
here:

http://blogs.msdn.com/eugene_bobukh/.../10/87645.aspx

Everything Eugene talked about works fine, but one thing that
doesn't seem to work is using custom permissions with the
SecurityManager .IsGranted method. When
SecurityManager .IsGranted is called, IPermission.IsS ubsetOf gets
called as well, but the IPermission target parameter is always
null. I verified that this happens with Euguene's sample code
as well.

For example:

WorkingTimePerm ission p = new WorkingTimePerm ission();

if (SecurityManage r.IsGranted(p))
{
// Enable application UI tabs which should be available
only during
working hours.
}

When stepping through the code, SecurityManager .IsGranted does
some processing and then WorkingTimePerm ission.IsSubset Of gets
called, but with a null IPermission target parameter.

Can anyone shed some light on why this may be happening?

Jason,

SecurityManager .IsGranted() determines whether a permission is
granted by examining the CAS permissions that have been granted by
the administrator. Since WorkingTimePerm ission is a non-CAS
permission, that means the security policies set by the administrator
have no impact regarding that permission. In other words, there is
no way for an administrator to grant or revoke a
WorkingTimePerm ission. Therefore SecurityManager .IsGranted() will
always return false for WorkingTimePerm ission().

WorkingTimePerm ission.Demand() is the method to use:
WorkingTimePerm ission p = new WorkingTimePerm ission();

try
{
p.Demand();
// If code gets here, then the permission was granted.

// Enable application UI tabs which should be available
// only during working hours.
}
catch (SecurityExcept ion ex)
{
// Permission was not granted.
}
--
Hope this helps.

Chris.
-------------
C.R. Timmons Consulting, Inc.
http://www.crtimmonsinc.com/

After digging through the rotor source, I was able to determine
just that; IsGranted won't work with non-CAS permissions.
Jason,

Are you familiar with Reflector? It's a great utility for
disassembling the .Net framework methods to find out what's really
being executed:

http://www.aisto.com/roeder/dotnet/
Having said that though, what's the best method for applications
to use when they want to know if a demand will fail without
having to catch SecurityExcepti on? I'm looking for a simple
method like IsGranted that returns bool. It looks exactly like
that's what IsGranted was tailored to do.
It took me a while to get used to CAS vs. non-CAS permissions, and
to realize that key phrases like "security policies" and "policy"
only apply to CAS permissions. Once I got comfortable with that,
deciphering apparently innocent help entries like
SecurityManager .IsGranted's Remarks section became much easier:

"Granting of permissions is determined by policy..."

This implies - but doesn't explicitly state - that the method only
works with CAS permissions, because it is checking the current
security policy. It takes some getting used to.

I don't think there's a method in the framework that could
take a WorkingTimePerm ission parameter and determine if
its permission had been granted. Non-CAS permissions are what
I would dub "stand alone" permissions. They are unique by
nature and have no required dependencies except for IPermission.
All CAS permissions, on the other hand, are tied to the security
policies set by the administrator.

However, there is nothing to prevent you from creating your
own SecurityManager-type class that handles both CAS and
non-CAS permissions:
using System.Security ;

// Untested.
public class MySecurityManag er
{
// Usage: MySecurityManag er.IsGranted(pe rmissionInstanc e);

public static bool IsGranted(objec t perm)
{
// perm descends from CodeAccessPermi ssion, so it's a
// CAS permission.
if (perm is CodeAccessPermi ssion)
return SecurityManager .IsGranted(perm as IPermission);

// perm does not descend from CodeAccessPermi ssion,
// but it implements the IPermission interface.
// That means it's a non-CAS permission.
if (perm is IPermission)
{
try
{
(perm as IPermission).De mand();
return true;
catch
{
return false;
}
}

// perm is not a permission.
return false;
}
}
Also, is there a
reason IsGranted isn't verifying that the IPermission provided
is CAS related?

"=?Utf-8?B?SmFzb24=?=" <Ja***@discussi ons.microsoft.c om> wrote in
news:C1******** *************** ***********@mic rosoft.com:

After digging through the rotor source, I was able to determine
just that; IsGranted won't work with non-CAS permissions.
Jason,

Are you familiar with Reflector? It's a great utility for
disassembling the .Net framework methods to find out what's really
being executed:

http://www.aisto.com/roeder/dotnet/

Yep, I use Reflector all the time. I happened to be looking at some of the
Rotor source earlier so that that was a easier route at the time. But I
agree, Reflector is a godsend.

Having said that though, what's the best method for applications
to use when they want to know if a demand will fail without
having to catch SecurityExcepti on? I'm looking for a simple
method like IsGranted that returns bool. It looks exactly like
that's what IsGranted was tailored to do.
It took me a while to get used to CAS vs. non-CAS permissions, and
to realize that key phrases like "security policies" and "policy"
only apply to CAS permissions. Once I got comfortable with that,
deciphering apparently innocent help entries like
SecurityManager .IsGranted's Remarks section became much easier:

"Granting of permissions is determined by policy..."

This implies - but doesn't explicitly state - that the method only
works with CAS permissions, because it is checking the current
security policy. It takes some getting used to.

Thanks for the explaination. After spending a few days getting intimitely
familiar with the .NET security system, everything is making a lot more sense.

I don't think there's a method in the framework that could
take a WorkingTimePerm ission parameter and determine if
its permission had been granted. Non-CAS permissions are what
I would dub "stand alone" permissions. They are unique by
nature and have no required dependencies except for IPermission.
All CAS permissions, on the other hand, are tied to the security
policies set by the administrator.

However, there is nothing to prevent you from creating your
own SecurityManager-type class that handles both CAS and
non-CAS permissions:

I figured as much. I already have a SecurityManager like class in version 1
of the security library I developed for the last version of our product that
I'll easily integrate a similar method into. I am mainly concerned about
those developers who out of ignorance assume it's ok to pass my non-CAS
IPermission implementations into SecurityManager .IsGranted.

Thanks again for your help!

using System.Security ;

// Untested.
public class MySecurityManag er
{
// Usage: MySecurityManag er.IsGranted(pe rmissionInstanc e);

public static bool IsGranted(objec t perm)
{
// perm descends from CodeAccessPermi ssion, so it's a
// CAS permission.
if (perm is CodeAccessPermi ssion)
return SecurityManager .IsGranted(perm as IPermission);

// perm does not descend from CodeAccessPermi ssion,
// but it implements the IPermission interface.
// That means it's a non-CAS permission.
if (perm is IPermission)
{
try
{
(perm as IPermission).De mand();
return true;
catch
{
return false;
}
}

// perm is not a permission.
return false;
}
}

Also, is there a
reason IsGranted isn't verifying that the IPermission provided
is CAS related?

Yes, there is. SecurityManager .IsGranted takes an IPermission
parameter. IPermission provides no way of determining the
parentage of the perm parameter. So IsGranted can't tell if the
permisson descended from CodeAccessPermi ssion or not.

--
Hope this helps.

Chris.
-------------
C.R. Timmons Consulting, Inc.
http://www.crtimmonsinc.com/